If possible in your setup you could restrict incoming connections to have either the certificate or belong to an ip-range. This way not all users need to have the certificate. This can be setup in the cloud portal, see below:
It is something I requested a couple of years ago We might try the Idears forum part, because I still think this would be a usefull option.
edit: I think you can add custom requesthandler for /ws/foo and /ws/bar seperately and apply different access restriction configurations to them.
So I actually think you can configure this the way you want it to.